06. SmartWAN Portal

This guide explains how to use the security operations center portal of OpenSASE/XDR.

Authentication

SmartWAN Portal Login

When you access the SmartWAN Portal, you will encounter the login screen as shown in the image below. This screen allows users to authenticate and access the portal's features.

image.png

Input Fields:

Additional Authentication Options

image.png

The "Additional Login Services Menu" provides options to assist users with authentication-related tasks on the SmartWAN Portal login screen. This menu can be accessed by clicking the vertical "⋮" (three dots) icon in the top-right corner of the login screen.

Menu Options

  • Verify Registered Email Address or ID: Allows users to verify their registered email address or ID to ensure they are using the correct credentials for login.
  • Reset Password:  Provides an option for users to reset their password if they have forgotten it or need to update it for security reasons.
  • Request an Account: Enables new users to request an account if they do not already have one, initiating the account creation process.

Some features described above are currently in the prototype stage and are scheduled for future implementation.


Verify Registered Email Address or ID

image.png

As part of the user verification process in the SmartWAN Portal, the "Verify Registered Email Address or ID" option allows users to confirm their credentials using a PassKey. 

image.png

PassKey Verification: Alternative Option:

Reset Password

image.png

After selecting the "Reset Password" option from the "Additional Login Services Menu" on the SmartWAN Portal, users are directed to the following screen to verify their identity before resetting their password.

image.png

PassKey Verification: Alternative Option:

image.png

Once the user’s identity is successfully verified using a PassKey or phone number, the SmartWAN Portal provides a screen to change the password. This screen allows users to set a new password following the specified guidelines.

Request an Account

image.png

After selecting the "Request an Account" option from the "Additional Login Services Menu" on the SmartWAN Portal, users are directed to the following screen to verify their identity before requesting an account.

image.png

PassKey Verification:

Alternative Option:

image.png

This screen allows users to request a new account by providing their PassKey-verified phone number, email address, and name. After verifying the email availability, users can submit the request using the "Request Account" button.

Input Fields:

image.png

This screen confirms the successful submission of the account request, informing the user that the result will be sent to their email. Users can then click "Go to Login" to return to the login screen and sign in with their new account.

User Information and Notifications

image.png

After logging in, you can see the user information adjacent to the top-right corner.

스크린샷 2025-04-01 오후 12.42.01.png

Click on the user information to view additional settings menus and the current status of notifications. Options such as "Logout" and "Account Management" are available for the user to sign out or manage their account settings.

스크린샷 2025-04-01 오후 12.42.40.png

Real-time Alerts

If any alerts need to be provided to the user, an alert message will be displayed on the left side of the screen in real time.

image.png

Assigned Case Notification

image.png

If a user has assigned cases that remain unresolved, a popup notification will appear after logging in to the SmartWAN Portal. This Assigned Case Notification alerts the user to the open cases that require attention.

Logout

You can log out by clicking the log-out button in the user information.

image.png

Dashboard

Getting Started

Logging In with an Accessible User Account

To begin, log in using a user account with access privileges.
For more user authentication options, see the Authentication section.

스크린샷 2025-03-30 오후 7.53.58.png

This guide is based on SKT’s SmartWAN Portal. Updates will be continuously applied to reflect future changes.


Pre-Configured Dashboards

The SmartWAN Portal currently offers three pre-configured dashboard types, each visualizing a different category of data. Upon accessing the SmartWAN Portal, the default landing page is fixed to the Agency Dashboard.

image.png

Currently, the dashboards are configured for the monitoring purposes of SKT’s agency SmartWAN system.


Event Dashboard (under development)

The Event Dashboard delivers aggregated information and status management insights for Incidents, Alerts, Threats, and other data collected from various data sources.

스크린샷 2025-03-30 오후 5.33.21.png


Agency Dashboard

The Agency Dashboard provides visualized status information on network and security events for agencies where SmartWAN CPE (Customer Premises Equipment) is installed, displayed through an interactive map interface.
There are two monitoring dashboards: Agency monitoring and System monitoring.

스크린샷 2025-03-30 오후 7.21.07.png


Agency monitoring

image.png

Map View

image.png

This view offers a comprehensive overview of all agency locations and detailed information segmented by major cities. It aggregates and classifies network and security events into four categories: Block, Critical, Minor, and Info.

Event levels are defined by SKT's requirements.

Agency List

스크린샷 2025-03-30 오후 8.20.03.png

When a specific region is selected in the Map View, the dashboard displays a list of agencies registered in that region, along with detailed information on the Network Status (CPE) and Security Status (SDP) for each agency.

View details of the agency

To access an agency's detailed information:

  1. Go to the Agency List in the dashboard

  2. Click the desired agency name

  3. The system will load the detailed agency view

Network View

This view provides a granular view of both network performance and security status for the selected agency. Users can toggle between Network View and Security View to access specific metrics.

image.png

The dashboard is divided into two main tabs:

Displays hardware and connectivity details:

Network Performance Metrics data(Live) for troubleshooting:

Lists recent events with types and levels:

| Column | Description | Example |
|--------|-------------|---------|
| Type | Event category (Network/Security). | Network |
| Event | Description of the issue. | CPE ETH0 Link Down |
| Level | Severity: Info, High, Critical. | Critical |
| Time | Timestamp (HH:MM:SS.milliseconds). | 16:13:31.00256 |

Security View

This view provides comprehensive monitoring and management capabilities for the selected agency, displaying real-time network status, user information, security events, and service connectivity. The interface is divided into multiple sections for efficient administration.

스크린샷 2025-03-30 오후 8.21.48.png

User Management Section

Agency Policy & Configuration

Security Monitoring

Agency Groups

스크린샷 2025-03-30 오후 7.32.12.png

The Agency Group section provides a summary of agency counts per region and detailed status information for CPE.

Event List

스크린샷 2025-03-30 오후 7.39.42.png

The Event List section displays a table of recent events, providing detailed information including the event type, name, severity level, and timestamp for all recorded incidents.
Columns: Examples:

System monitoring

image.png

SecureEdge point of presence

image.png

This view shows SecureEdge's distributed architecture. Visual indicators show system statuses, and the bottom of the view highlights the agency's critical/security events.

This monitoring supports SKT's internal operations only, providing real-time monitoring of their SecureEdge deployment through redundant controllers and gateways at each location.

Agency List 

It's the same as the agency list in Agency Monitoring.

Events List

It's the same as the events list in Agency Monitoring.


Risk Scoring (under development)

This dashboard provides a consolidated view of network security compliance, threat protection status, and regulatory adherence for monitoring and reporting purposes.

스크린샷 2025-03-31 오전 12.48.43.png

The current visualization serves as a prototype. We will develop optimized data representation formats aligned with operational objectives during the implementation phase.

Detection & Response


Cases

The user can access the cases menu, which is under Detection & Response.

image.png

Case List

The Case List screen in the SmartWAN Portal, accessible under the "Detection & Response" section, provides a detailed list of cases generated by analyzing event logs. This screen allows users to view and manage security and network-related incidents efficiently.

image.png

Key Features

The items provided in the Case List may be modified in the future based on evolving requirements.

Case Filtering

image.png

After selecting a customer, the case table updates to reflect cases specific to that customer, ensuring users can focus on relevant incidents.
Customer Selection: Multi-Tenant Support:

image.png

The Select an Asset dropdown on the Case List screen allows users to filter cases by specific assets. It lists assets such as "Seoul IDC LW3007," "T-Store Pangyo LW2308-4G," and "Daejeon IDC LW7009." Users can select an asset and click "Selection Confirmed" to update the case list.

image.png

The Advanced Search feature on the Case List screen allows users to refine their case search with additional filters. Accessible via the "Advanced Search" button, it includes options to select a customer, asset, severity level (e.g., Critical, High), and enter a search keyword. Users can apply these filters by clicking the "Search" button to update the case list.

Case Details

The Case Details popup in the SmartWAN Portal is displayed when a user selects a case from the Case List screen. This popup provides detailed information about the selected case, including event specifics and related events, to assist users in analyzing and managing.

Case Information

image.png

Detailed Case Information:

Case Management

The Case Management tab in the Case Details popup outlines the steps for handling a case in the SmartWAN Portal.
The procedures guide users through the process of managing a case from opening to closure. Below is a summary of the steps involved.

Case Management Procedure Table

| Step | Procedure | Description |
|------|-----------|-------------|
| 1 | Case Open | Initiates the case and assigns it to a user. |
| 2 | Initial Investigation | Conducts preliminary analysis of the incident. |
| 3 | Prioritization | Assigns a priority level to the case. |
| 4 | Analysis and Response | Performs detailed analysis and responds to the incident. |
| 5 | Containment and Mitigation | Implements measures to contain and mitigate the issue. |
| 6 | Recovery and Remediation | Restores systems and applies fixes to prevent recurrence. |
| 7 | Case Closure | Closes the case after resolution. |
| 8 | Post-Incident Review | Reviews the incident for lessons learned. |

Step 1. Case Open

image.png

Purpose: The "Case Open" step marks the beginning of the case management process. When a case is identified (e.g., a traffic-related event on a Juniper asset), it is opened in the system, and relevant details are recorded.
Details Displayed:

Step 2. Initial Investigation

image.png

Purpose: The "Initial Investigation" step involves evaluating the case details and associated events to confirm whether the incident is a legitimate threat that requires further action.
Instructions Provided: Action:

Step 3. Prioritization

image.png

Purpose: The "Prioritization" step involves evaluating the case based on its severity and impact to determine the urgency of response. This helps in allocating resources effectively and addressing high-priority incidents first.
Instructions Provided: Action:

Step 4. Analysis and Response

image.png

Purpose: The "Analysis and Response" step aims to analyze the root cause of the threat, identify the affected assets and scope, and develop a response strategy to mitigate the incident.
Instructions Provided: Action:

Step 5. Containment and Mitigation

image.png

Purpose: The "Containment and Mitigation" step aims to limit the spread and impact of the incident by isolating affected systems and applying necessary security measures.
Instructions Provided: Action:

Step 6. Recovery and Remediation

image.png

Purpose: The "Recovery and Remediation" step aims to fully resolve the incident by addressing its root cause, restoring systems or networks to their normal operational state, and applying preventive measures to avoid recurrence.
Instructions Provided: Action:

Step 7. Case Closure

image.png

Purpose: The "Case Closure" step marks the completion of the case handling process, confirming that the incident has been resolved and all necessary actions have been taken.
Instructions Provided: Action:

Step 8. Post-Incident Review

image.png

Purpose: The "Post-Incident Review" step aims to summarize the lessons learned from the incident response process and strengthen future security measures to better handle similar threats.
Instructions Provided: Action:

Report Generation

image.png

After completing all eight steps in the Case Management process, including the Post-Incident Review, a confirmation message is displayed in the SmartWAN Portal. 

Notification Setting 

image.png

The Alert Subscription Settings screen in the SmartWAN Portal allows users to customize how they receive notifications for cases. This screen is accessed by clicking the "Notification Settings" button on the Case List screen.
Users can configure various aspects of alert subscriptions, including the type of notifications, severity levels, assignees, recipients, and additional metadata, ensuring they are informed about relevant cases in a timely manner.

Subscription Information

image.png

Subscription Information: Assignee and Recipient Management: Additional Fields

Subscription Note

image.png

The Subscription Note screen, accessible via a tab in the Alert Subscription Settings popup, allows users to add and save notes related to an alert subscription. Users can enter text in a provided text box and save the note for future reference.

Real-Time New Case Alert

The SmartWAN Portal provides real-time notifications to alert users of new cases while they are actively using the platform. This feature ensures that users are promptly informed of critical incidents, allowing for immediate action to address potential threats.

image.png

Home Screen

 

Some features described below are currently in the prototype stage and are scheduled for future implementation.

1.jpg

Upon logging in to the SmartWAN Portal, the Home Screen automatically appears, providing a comprehensive overview of network and security events across locations worldwide.

Widgets

image.png

1. Traffic Widget

2. Site Overview 

3. Top5

4. Case

5. World Map(Map view)

6. Threat case trends

7. Today's Case Distribution

8. Today's Case Summary

9. Case

10. Network Summary Metrics

The widgets provided on the dashboard may be modified in the future based on evolving requirements.

Map Submenu

After logging in to the SmartWAN Portal, the Home screen displays the world map in the "Map View" by default. On the right side of the map, users can access additional options through the Map Submenu.

image.png

Click the vertical "⋮" (three dots) icon to open the Map Sub Menu. This menu allows users to filter and view site information based on specific criteria.

image.png

Map Sub Menu with the "Select Country & Region" dropdowns and the resulting site list after applying filters.

image.png

Filtering Sites by Country and Region

The Map Sub Menu provides filtering options to narrow down the list of sites displayed on the dashboard.

image.png

The image above shows the Map Sub Menu with the country filter set to South Korea and the region dropdown expanded, displaying available regions. The map and site list reflect the filtered view for South Korea, with detailed metrics for each site.

Overview

1.jpg

SmartWAN Portal

The SmartWAN Portal provides a centralized, real-time interface for comprehensive security monitoring and management across hybrid IT environments.
Designed to integrate on-premises and cloud-based security data, the dashboard offers a unified view of an organization’s security posture, enabling proactive threat detection, alert management, and streamlined compliance tracking.
The portal offers a variety of dashboards, including the Agency Dashboard, Event Dashboard, and Threat Scoring Dashboard, each tailored to specific monitoring needs. Upon accessing the SmartWAN Portal, users are directed to the default Agency Dashboard, which provides visualized status information on network and security events for agencies with installed SmartWAN Customer Premises Equipment (CPE). Additional features, such as user authentication, event lists, and detailed agency monitoring, empower users to manage incidents effectively and maintain operational security.

Report

Event Report

The Event Report menu can be found in the Report section of the left sidebar.

image.png

Event Report List

image.png

The Event Report menu in the SmartWAN Portal displays a list of generated reports for events.
Accessible under the "Report" section, it includes filters for selecting a customer, asset, and date range, a search bar for reports by name or ID, and an "Advanced Search" option.

Event Report Details

The Event Report Detail Screen in the SmartWAN Portal is displayed when a report is selected from the Event Report menu. It provides a comprehensive view of the report, organized into multiple sections accessible via tabs at the top of the screen.

Report Sections (Tabs) Table

| Tab Number | Section Name | Description |
|------------|--------------|-------------|
| I | Overview | Provides a summary of the report, including title, ID, reporter, date, and analysis period. |
| II | Statistics | Displays statistical data related to the case, such as event counts and asset details. |
| III | Analysis | Details the analysis of the case, including root cause and impact assessment. |
| IV | Remediation | Outlines the remediation steps taken to resolve the incident. |
| V | Conclusion | Summarizes the outcomes and conclusions of the case response. |
| VI | Recommendations | Offers recommendations to prevent similar cases in the future. |

I. Overview

image.png

The Event Report Detail Screen under the "Overview" tab (I) includes the following items, each serving a specific purpose:

II. Statistics

The Statistics tab (II) in the Event Report Detail Screen of the SmartWAN Portal provides statistical insights into the incident, helping users understand the severity, urgency, and distribution of related events.

image.png

This image displays a partial section of the complete report.


Statistics Report Summary

| Section | Purpose | Key Details |
|---------|---------|-------------|
| Threat Case Classification | Prioritizes security cases based on severity and urgency. | Severity: Measures threat danger (Low/High). Urgency: Measures response time needed (Low/High). Matrix: Combines both (e.g., High Severity + High Urgency = Critical). |
| Distribution of Related Events | Visualizes how related security events spread across time/systems. | Tracks event frequency and patterns. Aids in identifying attack scope and hotspots. |
| List of Related Events | Groups events with shared attributes to uncover attack sequences. | Grouping criteria: Common Indicators (shared IPs, users, devices); Time Correlation (events in close proximity); Attack Patterns (matches MITRE ATT&CK tactics); Behavior Analysis (suspicious chains, e.g., file execution → external connection); Threat Intelligence (matches known IOCs). |

Threat Case Classification Matrix

| Severity \ Urgency | Low Urgency | High Urgency |
|--------------------|-------------|--------------|
| Low Severity | Minor threat; resolve later. | Less critical but needs prompt handling. |
| High Severity | Serious threat; no immediate action. | Critical; requires immediate response. |

Key Takeaways

  1. Prioritization: Clear severity/urgency tiers streamline incident response.

  2. Pattern Analysis: Distribution and event grouping reveal attack trends.

  3. Correlation: Multi-criteria linking (time, behavior, IOCs) enhances threat detection.
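
The grouping criteria and the severity/urgency matrix described above can be sketched as follows. This is an added example, not SmartWAN Portal code: the event field names, the 10-minute window, and the rule that a group takes its highest member severity and urgency are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names and values are assumptions, not portal output.
EVENTS = [
    {"id": "e1", "time": "2025-03-30T16:13:31", "src_ip": "198.51.100.7",
     "user": "alice", "device": "cpe-01", "severity": "Low", "urgency": "Low"},
    {"id": "e2", "time": "2025-03-30T16:15:02", "src_ip": "198.51.100.7",
     "user": "bob", "device": "cpe-02", "severity": "High", "urgency": "Low"},
    {"id": "e3", "time": "2025-03-30T16:20:40", "src_ip": "203.0.113.9",
     "user": "bob", "device": "cpe-03", "severity": "Low", "urgency": "High"},
    {"id": "e4", "time": "2025-03-30T18:45:00", "src_ip": "198.51.100.7",
     "user": "carol", "device": "cpe-04", "severity": "Low", "urgency": "Low"},
    {"id": "e5", "time": "2025-03-30T16:21:00", "src_ip": "192.0.2.55",
     "user": "dave", "device": "cpe-09", "severity": "Low", "urgency": "High"},
]

INDICATORS = ("src_ip", "user", "device")  # "Common Indicators" in the table above

# Cell text taken from the Threat Case Classification Matrix.
MATRIX = {
    ("Low", "Low"): "Minor threat; resolve later.",
    ("Low", "High"): "Less critical but needs prompt handling.",
    ("High", "Low"): "Serious threat; no immediate action.",
    ("High", "High"): "Critical; requires immediate response.",
}


def correlate(events, window=timedelta(minutes=10)):
    """Return lists of event indexes linked by a shared indicator within `window`."""
    times = [datetime.fromisoformat(e["time"]) for e in events]
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    by_indicator = defaultdict(list)
    for idx, ev in enumerate(events):
        for field in INDICATORS:
            if ev.get(field):
                by_indicator[(field, ev[field])].append(idx)

    for idxs in by_indicator.values():
        idxs.sort(key=lambda i: times[i])
        # Linking time-adjacent neighbours is enough: if two events are inside
        # the window, every event between them is inside it as well.
        for a, b in zip(idxs, idxs[1:]):
            if times[b] - times[a] <= window:
                parent[find(a)] = find(b)

    groups = defaultdict(list)
    for i in range(len(events)):
        groups[find(i)].append(i)
    return sorted(groups.values())


def triage(events, window=timedelta(minutes=10)):
    """Classify each correlated group by its highest member severity and urgency."""
    result = []
    for members in correlate(events, window):
        sev = "High" if any(events[i]["severity"] == "High" for i in members) else "Low"
        urg = "High" if any(events[i]["urgency"] == "High" for i in members) else "Low"
        result.append({"events": [events[i]["id"] for i in members],
                       "severity": sev, "urgency": urg,
                       "classification": MATRIX[(sev, urg)]})
    return result


if __name__ == "__main__":
    for case in triage(EVENTS):
        print(case)
```

In the sample, no single event is both High severity and High urgency, but e1, e2 and e3 chain together through a shared IP and a shared user, so the correlated group lands in the Critical cell; e4 shares the IP but falls outside the time window and stays separate.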

III. Analysis

The Analysis tab (III) in the Event Report Detail Screen of the SmartWAN Portal provides in-depth threat pattern analysis, response effectiveness, and correlations between threat factors.

image.png

This image displays a partial section of the complete report.

Threat in Similar Case Occurrences and Responses

| Section | Purpose | Key Details |
|---------|---------|-------------|
| Threat in Similar Case Occurrences | Analyzes the frequency and severity of past security threats over a specified period. | Tracks threat patterns (e.g., monthly trends). Visualizes data to identify critical/high-risk periods. |
| Threat in Similar Case Responses | Evaluates the effectiveness of organizational responses to past threats. | Assesses response strategies (e.g., speed, methods). Identifies areas for improvement. |

Threat Factor Correlation Analysis

| Section | Purpose | Key Details |
|---------|---------|-------------|
| Threat Level Distribution of Related Factors | Maps the severity levels (Critical/High/Moderate/Low) of linked threat factors. | Highlights high-risk elements (e.g., IPs, users). Aids in prioritizing response actions. |
| Probability Distribution of Risk Levels | Quantifies the likelihood of each risk level occurring among correlated factors. | Uses statistical analysis (e.g., "60% Moderate risk"). Supports predictive threat assessment. |

Correlation Rules: Time-based or entity-based logic is applied to detect complex attack patterns.

Threat Scores: Calculated based on severity, context, and threat intelligence to guide decision-making.

IV. Remediation

The Remediation tab (IV) in the Event Report Detail Screen of the SmartWAN Portal provides threat mitigation actions, including detection, containment, recovery, and preventive measures for resolved security cases.

image.png

Remediation Report Section

| Section | Purpose | Explanation |
|---------|---------|-------------|
| Detection of Malicious Traffic | Identify and analyze suspicious network activities | Uses SIEM/IDS to detect anomalies like port scanning or unusual connections. |
| Multiple Failed Login Attempts | Prevent brute-force attacks and unauthorized access | Monitors repeated login failures, locks accounts, blocks suspicious IPs, and enforces stronger authentication (e.g., MFA). |
| Detection of Abnormal File Access | Protect sensitive data from unauthorized access or exfiltration | Alerts on unusual file access patterns (e.g., mass downloads). Includes user verification and role-based access reviews. |
| Execution of Unauthorized Applications | Block potentially harmful software execution | Detects unapproved apps (e.g., TeamViewer), terminates processes, and enforces app control policies (e.g., allowlisting). |

V. Conclusion

The Conclusion tab (V) in the Event Report Detail Screen of the SmartWAN Portal provides a synthesis of key findings about cases and indicators of attack.

image.png

Section Overview

| Section | Purpose | Explanation |
|---------|---------|-------------|
| Conclusion | To synthesize key findings about cases. | Provides a high-level analysis of similarities in attack methods (e.g., code reuse, C2 communication) to link incidents to known threat actors or campaigns. Helps analysts identify operational patterns. |
| Indicator of Attack | To map observed tactics to standardized frameworks for threat categorization and response planning. | Aligns attack techniques (e.g., spearphishing, steganography) with MITRE ATT&CK tactics (e.g., T1566.001). Enables defenders to prioritize mitigations based on proven threat models. |

VI. Recommendations

The Recommendations tab (VI) is the final section of the Event Report Detail Screen in the SmartWAN Portal.
This tab provides actionable suggestions and best practices to prevent similar incidents in the future. It focuses on improving security measures, addressing vulnerabilities, and enhancing response strategies based on the incident analysis.

image.png

A sample PDF file of the Event Report described in this guide is available for download. You can access the full report, including all sections (Overview, Statistics, Analysis, Remediation, Conclusion, and Recommendations).

Sample PDF download: ANRN-00936.pdf (APPEX Networks user only)